It’s time to ditch download counts on WordPress.org and get real stats

I’m grumpy today. Clickbait journalism annoys me, and WordPress security-related clickbait journalism especially annoys me.

Ars Technica, PC World, ZDNet, and Tripwire are just a few sites that reported that over a million WordPress sites were susceptible to being hacked after a vulnerability was discovered by Sucuri.

Except, you know, that it’s not true.

The vulnerability report by Sucuri is perfectly fine, and does a good job. Honestly, I’ve never paid Slimstat any attention until now, but it’s a stats solution that doesn’t rely on Google Analytics. Anyway, these articles are all based on the download count from WordPress.org, which shows the plugin has been downloaded over a million times.

Yes, it makes me mad that these articles say a million plus. But is my frustration misdirected? What it reminds me of is that the download counter on WordPress.org is confusing. It counts downloads, not installs. And a single install counts as a new download with each upgrade.

So really, the download count is not helpful, but it does equip unfamiliar news sites with ammo when a vulnerability comes out.

I believe the WordPress.org team has actual install data and not just download data. I think it is past time that we put that data to use, and get real numbers.

I asked Otto Wood what he could tell me about Slimstat. He said that it has been downloaded around 20,000 times in the week since the vulnerability was discovered. So the likely install count is far, far less than a million. Even if only 10% of all installs have updated, that’s still less than 20% of those estimated numbers in headlines.

Download counts are doing more harm and causing more misinformation than they are doing good. Even when spun in a positive light, plugin makers are celebrating and marketing download milestones that are completely arbitrary.

Let’s change it. Let’s get real install numbers and ditch the download count as a highly visible metric. It’s time.